Solved: Re: Recommended PPPoE Auth; DSL ISP Router or Bridge to FPR1010

TheGoob · ‎10-07-2022

Hello

I was wondering if there was any benefit or lack of to having my FPR1010 do the PPPoE and have my DSL Router in Bridge Mode.

I ask because I seem to, though not a lot, lose my Internet from time to time. I unplug DSL Router and plug it back in and it co9nnects and the FPR1010 grabs authentication. One would think well it is the DSL Router... But this dropping only ever started since I began using bridge mode for the FPR1010 to authenticate. But what throws me off is, if it is the FPR, why does only rebooting the DSL Router fix it? If it is the DSL Router, why did this only start with the usage of Bridge Mode?

TheGoob · ‎02-08-2023

Hello

Does the Internet completely drop or does it stay connected, just drop data flow?

I had an issue where it always stayed connected but after that first burst of data flow my internet would come to a complete stop, but stay connected.

I am not sure about Cable authentication but my DSL uses PPPoE. My FPR did not auto negotiate the MTU and MSS like my 5508-X did so after changing my MTU to 1492 which allots the remaining to auth and then [On Cisco FPR] under Advanced Configuration; FlexConfig; created FlexConfig Object ;TCP_MSS; sysopt connection tcpmss 1452 under variable and then add it under same menu to a FlexConfig Policy.

After/Since then I have had no further issues.

View solution in original post

Georg Pauwen · ‎10-09-2022

Hello,

what type/brand/model is the DSL router ?

CompSup · ‎02-08-2023

Hi there, I have exactly the same issue and I will like to know how to solve this.

I have reduced the MTU, change cables and replaced the ISP Modem. the FPR1010 have 3 types of PPP authentication: PAP, CHAP and MSCHAP. In my case I only use PAP and it works. But the connection will drop randomly for no reason. My fast workaround is to remove the cable from the FPR1010 port 1/1 and put it back in, few seconds later the connection is back.

Here is my ISP Router info:

Sagemcom Mod: Fast 5250, Home Hub 2000

TheGoob · ‎02-08-2023

Hello

Does the Internet completely drop or does it stay connected, just drop data flow?

I had an issue where it always stayed connected but after that first burst of data flow my internet would come to a complete stop, but stay connected.

I am not sure about Cable authentication but my DSL uses PPPoE. My FPR did not auto negotiate the MTU and MSS like my 5508-X did so after changing my MTU to 1492 which allots the remaining to auth and then [On Cisco FPR] under Advanced Configuration; FlexConfig; created FlexConfig Object ;TCP_MSS; sysopt connection tcpmss 1452 under variable and then add it under same menu to a FlexConfig Policy.

After/Since then I have had no further issues.

CompSup · ‎02-08-2023

Hey TheGoob!

What I will have is the device loosing connection to the internet. The FPR will remain connected with all lights working but the DSL modem connectivity lights in solid green. Unplugging/plugging the cable will restore the connection.

Can you please give some screen shots of those settings.?

TheGoob · ‎02-08-2023

Hello

This is the "bug" \;

https://quickview.cloudapps.cisco.com/quickview/bug/CSCvu71743

and here is an original post with example and solution to fix;

https://community.cisco.com/t5/network-security/path-mtu-discovery-broken-on-ftdv-with-pppoe-interface-6-6-amp-7/m-p/4506834#M1085303

TheGoob · ‎02-08-2023

Now, I put my MSS at 1452, and all seems to work fine. Original poster in link I believe set his to 1380.

What all that means, I know not. Maybe different Internet services..But for me, 1452 MSS works.

CompSup · ‎02-08-2023

Hey TheGoob!

Thanks for the pics!. I'm going to try that and see how it goes. Besides this, is there anything else?

TheGoob · ‎02-08-2023

Honestly that is all I can think of that I changed... If this does not work I would say your issue is different, or even try the 1380 MSS if the 1452 does not. If none of this works, I am out of ideas.

CompSup · ‎02-09-2023

Hey Guys!

I have started using 1380 on MSS and 1452 at MTU. I started this last night and since then I notice a drop on my speed connection. I will wait a few days to see if this holds and let you know.

TheGoob · ‎02-09-2023

Morning

Try 1492 MTU and 1452 MSS, that is what I use, no speed loss for me. I am sure for vpn or tunnels 1380 is standard but as far as I am concerned, 1380 is a big % smaller packet.

TheGoob · ‎02-12-2023

Any update?

CompSup · ‎02-21-2023

Hi

Sad to inform that those changes did not help. I'm still experiencing the same issue, not as critical as before but still happens.

here are some loggings

2023-02-21 10:42:08 Local4.Warning 10.0.0.30 Feb 21 2023 15:42:08: %FTD-4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 2 per second, max configured rate is 10; Current average rate is 5 per second, max configured rate is 5; Cumulative total count is 3094
2023-02-21 10:42:09 Local4.Warning 10.0.0.30 Feb 21 2023 15:42:09: %FTD-4-411002: Line protocol on Interface Ethernet1/1, changed state to down
2023-02-21 10:42:09 Local4.Critical 10.0.0.30 Feb 21 2023 15:42:09: %FTD-2-199014: port-manager: Alert: Ethernet1/1 link changed to DOWN
2023-02-21 10:42:10 Local4.Critical 10.0.0.30 Feb 21 2023 15:42:10: %FTD-2-199014: port-manager[7384]: Last message 'Alert: Ethernet1/1 l' repeated 1 times, suppressed by syslog-ng on FirePower-1010
2023-02-21 10:42:11 Local4.Warning 10.0.0.30 Feb 21 2023 15:42:11: %FTD-4-411001: Line protocol on Interface Ethernet1/1, changed state to up
2023-02-21 10:42:11 Local4.Critical 10.0.0.30 Feb 21 2023 15:42:11: %FTD-2-199014: port-manager: Alert: Ethernet1/1 link changed to UP
2023-02-21 10:42:12 Local4.Critical 10.0.0.30 Feb 21 2023 15:42:12: %FTD-2-199014: port-manager[7384]: Last message 'Alert: Ethernet1/1 l' repeated 1 times, suppressed by syslog-ng on FirePower-1010
2023-02-21 10:42:28 Local4.Warning 10.0.0.30 Feb 21 2023 15:42:28: %FTD-4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 1 per second, max configured rate is 10; Current average rate is 5 per second, max configured rate is 5; Cumulative total count is 3096

2023-02-21 12:28:28 Local4.Warning 10.0.0.30 Feb 21 2023 17:28:28: %FTD-4-411002: Line protocol on Interface Ethernet1/1, changed state to down
2023-02-21 12:28:28 Local4.Critical 10.0.0.30 Feb 21 2023 17:28:28: %FTD-2-199014: port-manager: Alert: Ethernet1/1 link changed to DOWN
2023-02-21 12:28:30 Local4.Critical 10.0.0.30 Feb 21 2023 17:28:30: %FTD-2-199014: port-manager[7384]: Last message 'Alert: Ethernet1/1 l' repeated 1 times, suppressed by syslog-ng on FirePower-1010
2023-02-21 12:28:31 Local4.Warning 10.0.0.30 Feb 21 2023 17:28:31: %FTD-4-411001: Line protocol on Interface Ethernet1/1, changed state to up
2023-02-21 12:28:31 Local4.Critical 10.0.0.30 Feb 21 2023 17:28:31: %FTD-2-199014: port-manager: Alert: Ethernet1/1 link changed to UP
2023-02-21 12:28:32 Local4.Critical 10.0.0.30 Feb 21 2023 17:28:32: %FTD-2-199014: port-manager[7384]: Last message 'Alert: Ethernet1/1 l' repeated 1 times, suppressed by syslog-ng on FirePower-1010
2023-02-21 12:28:35 Local4.Warning 10.0.0.30 Feb 21 2023 17:28:35: %FTD-4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 1 per second, max configured rate is 10; Current average rate is 7 per second, max configured rate is 5; Cumulative total count is 4542
2023-02-21 12:28:35 Local4.Warning 10.0.0.30 Feb 21 2023 17:28:35: %FTD-4-733100: [ Scanning] drop rate-2 exceeded. Current burst rate is 0 per second, max configured rate is 8; Current average rate is 4 per second, max configured rate is 4; Cumulative total count is 17689
2023-02-21 12:49:19 Local4.Warning 10.0.0.30 Feb 21 2023 17:49:19: %FTD-4-411002: Line protocol on Interface Ethernet1/1, changed state to down
2023-02-21 12:49:19 Local4.Debug 10.0.0.30 Feb 21 2023 17:49:19: %FTD-7-713906: IKE Receiver: Interface 5(outside) going down
2023-02-21 12:49:19 Local4.Error 10.0.0.30 Feb 21 2023 17:49:19: %FTD-3-199015: port-manager: [mrvl_periodot_init.c:840]: _fmt
2023-02-21 12:49:19 Local4.Warning 10.0.0.30 Feb 21 2023 17:49:19: %FTD-4-199016: FPRM: <<%FPRM-4-LINK_DOWN>> [F1150][minor][link-down][sys/switch-A/slot-1/switch-ether/port-1] ether port 1/1 on fabric interconnect A oper state: link-down, reason: Down
2023-02-21 12:49:19 Local4.Critical 10.0.0.30 Feb 21 2023 17:49:19: %FTD-2-199014: port-manager: Alert: Ethernet1/1 link changed to DOWN
2023-02-21 12:49:19 Local4.Critical 10.0.0.30 Feb 21 2023 17:49:19: %FTD-2-199014: port-manager[7384]: Last message 'Alert: Ethernet1/1 l' repeated 1 times, suppressed by syslog-ng on FirePower-1010
2023-02-21 12:49:19 Local4.Info 10.0.0.30 Feb 21 2023 17:49:19: %FTD-6-199018: port-manager: Informational: Ethernet1/1 speed changed to Unknown
2023-02-21 12:49:19 Local4.Error 10.0.0.30 Feb 21 2023 17:49:19: %FTD-3-199015: port-manager: [mrvl_periodot_init.c:840]: _fmt
2023-02-21 12:49:19 Local4.Info 10.0.0.30 Feb 21 2023 17:49:19: %FTD-6-110003: Routing failed to locate next hop for TCP from inside:142.116.32.251/45181 to outside:162.244.7.17/443
2023-02-21 12:49:19 Local4.Info 10.0.0.30 Feb 21 2023 17:49:19: %FTD-6-110002: Failed to locate egress interface for UDP from inside:10.0.0.3/58567 to 94.140.14.14/53

2023-02-21 12:49:22 Local4.Error 10.0.0.30 Feb 21 2023 17:49:22: %FTD-3-199015: port-manager: [mrvl_periodot_init.c:840]: _fmt
2023-02-21 12:49:22 Local4.Info 10.0.0.30 Feb 21 2023 17:49:22: %FTD-6-199018: port-manager: force EEE state change successfull

2023-02-21 12:49:22 Local4.Warning 10.0.0.30 Feb 21 2023 17:49:22: %FTD-4-411001: Line protocol on Interface Ethernet1/1, changed state to up
2023-02-21 12:49:22 Local4.Warning 10.0.0.30 Feb 21 2023 17:49:22: %FTD-4-199016: FPRM: <<%FPRM-4-LINK_DOWN>> [F1150][cleared][link-down][sys/switch-A/slot-1/switch-ether/port-1] ether port 1/1 on fabric interconnect A oper state: link-down, reason: Down
2023-02-21 12:49:22 Local4.Critical 10.0.0.30 Feb 21 2023 17:49:22: %FTD-2-199014: port-manager: Alert: Ethernet1/1 link changed to UP
2023-02-21 12:49:22 Local4.Critical 10.0.0.30 Feb 21 2023 17:49:22: %FTD-2-199014: port-manager[7384]: Last message 'Alert: Ethernet1/1 l' repeated 1 times, suppressed by syslog-ng on FirePower-1010
2023-02-21 12:49:22 Local4.Info 10.0.0.30 Feb 21 2023 17:49:22: %FTD-6-199018: port-manager: Informational: Ethernet1/1 speed changed to 1000 Mbps / Full

Using MSS 1376 and MTU 1434. but every time I fix it checking with ping -f -l command I guess even lower. Right now I'm able to use only 1406 MTU.

I don't know what else to do? I need help!!!

jocke9292 · ‎03-02-2023

I don't know if I have the same issue. I've deployed two FPR 1010 in the last couple of weeks. On the first location which is a sub-office only have a site 2 site vpn to the main office. And on the main office there's the second unit. Which also run anyconnect VPN.

I don't have any problem at the sub-office only at the main office. It's different ISPs and they use a different CPE unit and router brand. At the main office the provider run a CTS hes 3106 as their CPE.

edit: Forgot to mention that I use static IP for the connections at both sites. And I'm seeing link up and down where users are loosing connection for less than a minute. Sometimes the cable for the outside interface needs to be unplugged and plugged back in to get the connection online.

CompSup · ‎03-09-2023

I still have issues with this device. I'm now more certain it is not the device as others are having the same issue. I have enabled loggins to a kiwi server and I'm able to see that after a "reset" of the FPR1010 it will take at least over 12 hrs. to see the down and up message to pop-up. Then after that it can go on and on for up to another 60 hrs. and then fail, like not bringing the port back up.

Removing the cable from any end and re-inserting it will bring the connection back after a few seconds. No restarts or reboots. What I don't understand is why the FPR1010 lights are all normal but the dashboard puts the port in "orange" and why the down-up only last 3 seconds until it won't put it back up.